Slack data export download

This rule is part of a beta feature. To learn more, contact Support.

Set up the slack integration.

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect when a Slack export, such as a channel export, manual export, or manual user export, is downloaded.

Strategy

This rule monitors Slack events for when a channel export, manual export, or manual user export is downloaded. These export actions involve downloading a significant amount of Slack data, including conversations, files, and user information. Unauthorized exports could indicate a potential data breach, insider threat, or misuse of administrative privileges.

Potential risks associated with these export actions include:

  • Unauthorized access to and exfiltration of sensitive company data.
  • Insider threats downloading and sharing confidential information.
  • Exposure of private conversations, files, and user details to unauthorized parties.

Triage and response

  1. Determine if the export download is expected by:

    • Contacting the user or admin {{@usr.email}} who initiated the export to verify the legitimacy of the request.
    • Reviewing the context and scope of the export, including:
      • The type of data exported (e.g., specific channels or user data).
      • The time and date of the export and the business justification for the action.
    • Checking Slack logs for other unusual or suspicious activity by the user, such as mass downloads, file sharing, or privilege escalation.
  2. If the export is unauthorized or unexpected:

    • Begin your organization’s incident response process and investigate further.
    • Analyze the exported data for sensitive information, and determine the scope of exposure.
    • Monitor for any further attempts to export data or download sensitive information across the workspace.